A common source of confusion in trainings is that when implementing security using wicket-auth-roles, you have to implement #authenticate in your own session class, but in the login form's #onSubmit you have to call #signIn.
Both #authenticate and #signIn are public and both have identical signatures. Their names mean basically the same thing too. This is rather error-prone.
I propose changing the visibility of #authenticate to protected. That way, it will still work the same as it does now, except it won't show up in code-completion anymore and won't compete with #signIn anymore.
This should not be an API break, since #authenticate is abstract anyway and is always implemented in user code. Raising visibility from protected to public is always legal, so user code should not break from this change.